Manage encrypted network traffic using DNS responses

ABSTRACT

Managing encrypted network traffic using Domain Name System responses includes requesting an address associated with a domain name from a resolution server, the domain name included in a predetermined set of domain names for which secure requests are to be identified; receiving a response from the resolution server including one or more addresses associated with the domain name; associating with the domain name a particular address selected from the received addresses; receiving a request to resolve the domain name; sending a response to the domain name resolution request, the response including the particular address associated with the domain name; receiving a secure request for a resource, the secure request directed to the particular address associated with the domain name; and determining that the secure request is directed to the domain name based on the association between the particular address and the domain name.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation application of and claims priority toU.S. application Ser. No. 14/280,513, filed on May 16, 2014.

BACKGROUND

This specification generally relates to managing encrypted networktraffic using Domain Name System (DNS) responses.

In corporate and other networks, devices connected to the network mayrequest resources on the network itself, or on external networks such asthe Internet. These resources may include websites, file transferservices, servers, or other network resources. In some cases, thisrequest may be made according to a secure protocol such as HypertextTransfer Protocol Secure (HTTPS), Secure Socket Layer (SSL), TransportLevel Security (TLS), or other protocols. The requested resources may beassociated with domain names. A device may query a domain name serverusing the Domain Name System (DNS) protocol to determine an addresscorresponding to a given domain name.

SUMMARY

In general, one aspect of the subject matter described in thisspecification may be embodied in systems, and methods performed by dataprocessing apparatuses that include the actions of requesting an addressassociated with a domain name from a resolution server, the domain nameincluded in a predetermined set of domain names for which securerequests are to be identified; receiving a response from the resolutionserver including one or more addresses associated with the domain name;associating with the domain name a particular address selected from thereceived one or more addresses; receiving a request to resolve thedomain name; sending a response to the request to resolve the domainname, the sent response including the particular address associated withthe domain name; receiving a secure request for a resource, the securerequest directed to the particular address associated with the domainname; and determining that the secure request is directed to the domainname based on the association between the particular address and thedomain name.

Details of one or more implementations of the subject matter describedin this specification are set forth in the accompanying drawings and thedescription below. Other features, aspects, and potential advantages ofthe subject matter will become apparent from the description, thedrawings, and the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of an example environment.

FIG. 2 is a message flow diagram of an example interaction between thecomponents of the example environment to selectively block a securerequest using DNS responses.

FIG. 3 is a message flow diagram of an example interaction between thecomponents of the example environment to selectively decrypt a securerequest using DNS responses.

FIG. 4 is a flow chart of an example process of managing encryptednetwork traffic using DNS responses.

FIG. 5 is a diagram of computing devices that may be used to implementthe systems and methods described in this document.

Like reference numbers and designations in the various drawings indicatelike elements.

DETAILED DESCRIPTION

In corporate and other networks, secure connections to resources on theInternet are often identified by either a certificate associated withthe connection, such as an SSL certificate, or by the address associatedwith the connection. For certain Internet resources, such an approachcan be problematic. For example, some larger network entities may use amaster SSL certificate for all services they operate, such that thedomain name assigned to the SSL certificate may be a wildcard domainsuch as “*.sample1.com.” In such a case, managing access to individualservices owned by the network entity may be difficult, as multipleservices may share the same wildcard certificate. For example, a networkowner desiring to block access to a video streaming site mayinadvertently block access to a search engine owned by the same entity,as both sites may share the same certificate. Similarly, some networkentities use shared addresses across services, such that blocking anaddress may have the same effect. When requests are made for networkservices using a secure protocol such as HTTPS, determining the addressrequested by the request may not be possible without decrypting therequest.

Accordingly, the present disclosure describes techniques for managingsecure network traffic using DNS responses. One example method includesassociating a particular address with a particular domain name from aset of addresses associated with the domain name. For example, theparticular address may be an Internet Protocol (IP) address selectedfrom multiple IP addresses returned by a Domain Name Service (DNS)server for the domain name. The particular address may then be providedto network clients in response to DNS queries for the particular domainname. Subsequently, when a secure request directed to that particularaddress is received, the secure request can be determined to be directedto the particular domain name without decrypting the secure request. Inthis manner, the secure request can be selectively blocked based on theparticular domain name. The secure request can also be selectivelydecrypted based on the particular domain name and its contents examinedto determine how to handle the secure request.

The techniques described herein may provide several advantages. Byassociating the particular address with the domain name, a network ownermay determine the domain name that a secure request is directed towithout decrypting the secure request. Such functionality may allow anetwork owner to selectively apply security measures without decrypting,which affords greater privacy to users of the network. A network ownermay also be able to block access to only certain services operated by alarge network entity, as the techniques here do not rely on the domainname included in an SSL certificate to determine the destination for therequest. Secure traffic may also be selectively decrypted, such thatsensitive traffic, such as a user's personal email, may remainencrypted, while other non-sensitive encrypted traffic, such as requestsfor a video streaming site, may be decrypted and examined. Further, incases where the same IP address is associated with multiple domain namesowned by the same entity, the techniques described herein may be used todifferentiate traffic directed to the different domain names withoutdecrypting.

FIG. 1 is a diagram of an example environment 100. As shown, the exampleenvironment includes an internal network 110. A plurality of devices 130a-c are connected to the internal network 110. The example environment100 also includes a network management system 120. The networkmanagement system 120 is connected to a database 160, and the Internet150. A DNS server 140 and a website 180 are connected to the Internet150.

In operation, the network management system 120 determines that a domainname is to be identified. In some implementations, the networkmanagement system 120 may consult the database 160 to determine that thedomain name is included in a predetermined set of domain names to beidentified. In some implementations, the network management system 120may determine that a domain name is to be identified in response to arequest sent from the devices 130 a-c over the internal network 110 toresolve the domain name.

In some implementations, if the network management system 120 determinesthat the domain name is to be identified, the network management system120 determines a particular address to associate with the domain name.The particular address may be an IP address, an IP address and portcombination, or another type of address.

In some cases, the network management system 120 may consult thedatabase 160 to determine the particular address. For example, thedatabase 160 may include an association of the domain name and aparticular address. The association may be determined from previousrequests to resolve the domain name and stored in the database 160. Thenetwork management system 120 may also select the particular addressbased on a response from a resolution server. A resolution server mayprovide one or more addresses that are associated with a domain name. Insome implementations, a resolution server may be a DNS server. In theillustrated example, the network management system 120 may send arequest to the DNS server 140. In some implementations, the request maybe a DNS request. In response to the request, the DNS server 140 sends aresponse to the network management system 120. In some implementations,the response may be a DNS response. The response may include one or moreaddresses associated with the domain name. The network management system120 may select a particular address from the one or more addresses inthe response and, associate with the domain name the particular address.In some implementations, the network management system 120 may selectmore than one particular address from the one or more addresses in theresponse and associate the selected addresses with the domain name.

In some implementations, the devices 130 a-c may send a request, such asa DNS request, over the internal network 110 to resolve the domain name.Upon determining the particular address associated with the domain name,the network management system 120 may send a response, such as a DNSresponse, to the requesting device including the particular addressassociated with the domain name. Upon receiving the particular address,the requesting device may send a secure request directed to theparticular address. In some implementations, the secure request may be arequest formatted according to the HTTPS protocol. In someimplementations, the network management system 120 may receive thesecure request. The network management system 120 may then determinefrom the particular address a domain name associated with the securerequest. Such a determination is usually not possible without decryptingthe secure request, because the requested domain name is included withinthe encrypted payload. However, by associating the particular addresswith the domain name when processing the DNS query, the networkmanagement system 120 may determine that a secure request to theparticular address is directed to the domain name without decrypting thesecure request.

In some implementations, the network management system 120 mayselectively decrypt the received secure request based on one or moremonitoring rules 164 stored in the database 160. The network managementsystem 120 may examine the contents of the secure request afterdecrypting in order to determine how to handle the secure request. Forexample, the network management system 120 may forward or block thereceived secure request based on the contents of the decrypted request.In some implementations, the network management system 120 may determinewhether to forward or block the secure request without decrypting therequest.

As shown, the example environment 100 includes an internal network 110.In some implementations, the internal network 110 may be a wirelessnetwork provided by a corporation, educational institution,municipality, business, or other entity. Such a wireless network mayutilize any standard wireless networking technology, including 802.11a,802.11b, 802.11g, 802.11n, LTE, WiMax, CDMA or any other suitablewireless networking technology. In such implementations, the wirelessnetwork may be a public network in the sense that any device withinrange may connect to the network. Even though any device within rangemay connect to the internal network 110 in such configurations, thedevice still may be required to authenticate in order to accessresources on the internal network 110 and/or on the Internet 150. Such aconfiguration is often referred to as a Bring Your Own Device (BYOD)network in which users are free to use their own personal devices forconnecting to the network. In some implementations, the entity thatcontrols the internal network 110 may issue devices to users for use onthe internal network 110. The internal network 110 may also be a wirednetwork, such as an Ethernet network.

The example environment 100 also includes one or more devices 130 a-cconnected to internal network 110. In some implementations, the one ormore devices 130 a-c include mobile devices, such as cellular telephones(e.g., 130 a), smartphones, tablets, laptops (e.g., 130 b) and othersimilar computing devices. The one or more devices 130 a-c may alsoinclude wired devices such as desktop computer 130 c. The one or moredevices 130 a-c may also include servers. In some implementations, theone or more devices 130 a-c include personal devices associated with oneor more users. The one or more devices 130 a-c may also include devicesissued or owned by the entity that provides the internal network 110,such as company-issued smartphones or laptops. In some implementations,the one or more devices 130 a-c may include network access or webbrowsing software (e.g., a web browser) for accessing resources on theInternet 150.

The network management system 120 is connected to the internal network110. As described above, the network management system 120 may beoperable to receive DNS queries from the one or more devices 130 a-c,selectively return particular addresses in response to the DNS queries,and monitor secure requests sent by the one or more devices 130 a-cdirected to the Internet 150. In some implementations, the networkmanagement system may be a server or set of servers connected to theinternal network 110. The network management system 120 may beconfigured as a gateway between the internal network 110 and theInternet 150, such that traffic directed to the Internet 150 passesthrough the network management system 120. The network management system120 may also be configured to passively monitor traffic on the internalnetwork 110, such as in a tap or span configuration. In someimplementations, the network management system 120 may receive part ofthe traffic directed to the Internet 150, such that traffic directed todomain names to be identified passes through the network managementsystem 120, the traffic directed to domain names that are not to beidentified does not pass through the network management system 120. Insome implementations, the DNS functionality and the monitoringfunctionality of the network management system 120 may be implemented onseparate servers in communication and coordination with one another.

The network management system 120 includes a DNS handler 122. Inoperation, the DNS handler 122 may receive DNS requests from the one ormore devices 130 a-c connected to the internal network 110. The DNShandler 122 may consult monitoring rules 164 stored in the database 160(discussed below) to determine whether to select a particular address inresponse to a particular DNS query. For example, the monitoring rules164 may specify that all traffic to the domain name “www.sample1.com”should be identified. In such a configuration, the DNS handler 122 mayrespond to a DNS request to resolve the domain name “www.sample1.com”with a particular address. In some implementations, the particularaddress may be one or more addresses associated with the domain name“www.sample1.com.” For example, the domain name “www.sample1.com” may beassociated with addresses “24.24.24.1 . . . 24.24.24.10” as shown inFIG. 1. In such a case, the addresses “24.24.24.1 . . . 24.24.24.10” maybe included in a DNS response for the domain name “www.sample1.com” fromthe DNS server 140. The DNS handler 122 may select the address“24.24.24.1” as the particular address associated with“www.sample1.com.” The DNS handler 122 may note this association betweenthe domain name from the DNS query and the returned particular addressin the database 160 (described below) as an address association 162. TheDNS handler 122 may consult with address associations 162 in thedatabase 160 to determine the particular address associated with the“www.sample1.com.”

In some implementations, if the DNS handler 122 determines that thedomain name in a DNS request is not to be identified, the DNS handler122 may return some or all of the addresses associated with therequested domain name. For example, in response to a request for anaddress corresponding to “www.sample1.com” in the situation that thatdomain name was not being identified, the DNS handler 122 may return allthe addresses corresponding to the website 180 (e.g., “24.24.24.1 . . .24.24.24.10”). In some implementations, the DNS handler 122 may cachethese DNS entries and provide information in the cached entries inresponse to DNS requests for domain names that are not to be identified.

The network management system 120 also includes a monitoring engine 124.In operation, the monitoring engine 124 receives secure requests fromthe one or more devices 130 a-c that are directed to the particularaddresses. The monitoring engine 124 may consult the addressassociations 162 in the database 160 (described below) to determine adomain name associated with the secure request received on a particularaddress. Based on the domain name, the monitoring engine 124 maydetermine how to handle the secure request. For example, the monitoringengine 124 may identify a monitoring rule 164 associated with the domainname “www.sample1.com.” The monitoring engine 124 may receive a securerequest directed to “24.24.24.1,” the particular address associated withthe domain name “www.sample1.com.” The monitoring engine 124 maydetermine that the monitoring rule 164 associated with this domain nameindicates that the monitoring engine 124 should forward the securerequest on to the server associated with the domain name. In response,the monitoring engine 124 may forward the secure request to the website180 associated with the particular address (e.g., “24.24.24.1”). If themonitoring engine 124 determines that the monitoring rule 164 indicatesthat the request should be blocked, the monitoring engine 124 may blockthe request. In some implementations, the monitoring engine 124 may senda redirect response to the request. In some implementations, theredirect response may include an address associated with a blocknotification page.

In some implementations, the monitoring engine 124 may selectivelydecrypt secure requests received on the particular addresses based onthe monitoring rules 164. Based on the contents of the decrypted securerequest, the monitoring engine 124 may forward, block, or otherwisehandle the secure request. For example, the monitoring engine 124 mayexamine the headers of the decrypted secure request, and determine thatthe request has a referrer header prohibited by the associatedmonitoring rule 164. In response, the monitoring engine 124 may blockthe secure request. In some implementations, the monitoring engine 124may modify the decrypted secure request based on the monitoring rules164. For example, the monitoring engine 124 may replace the referrerheader in the secure request with a different referrer header. Themonitoring engine 124 may then re-encrypt the decrypted secure request,and forward it to the website 180 associated with the particular address(e.g., “24.24.24.1”).

Although the DNS handler 122 and the monitoring engine 124 are shown asseparate components, in some implementations the two components may becombined. In some cases, the two components may be separate moduleswithin a single software process. The DNS handler 122 and monitoringengine 124 may also be located on separate servers connected to theinternal network 110. The monitoring engine 124 may be in communicationwith one or more monitoring servers to which secure requests to aparticular address are sent. The monitoring servers may communicate withthe monitoring engine 124 in order to determine how to handle securerequests received.

The database 160 is connected to the network management system 120. Insome implementations, the database 160 may be stored on the same serveras the network management system 120. The database 160 may also bestored on a separate server and accessed by the network managementsystem 120 over a network. The database 160 may be any proprietary orcommercially available database system or format, including, but notlimited to, MySQL®, Microsoft® SQLServer, IBM® DB2, Oracle®, SQLite, orany other suitable database system or format. The database 160 may alsobe a distributed database running on a plurality of servers. In someimplementations, the database 160 may be a configuration file or set ofconfiguration files associated with the network management system 120.

The database 160 includes address associations 162. In someimplementations, the address associations 162 are stored in one or moredatabase tables mapping domain names to particular addresses. In someimplementations, the particular address may be an IP address, an IPaddress and port combination, or another type of address. In someimplementations, the particular addresses are unique such that anyparticular address is associated with one domain name. For example, thedomain name “www.sample1.com” is associated with the particular address“24.24.24.1” as shown in FIG. 1. This association may be stored in theaddress associations 162. If the DNS handler 122 receives a responsefrom the DNS server 140 indicating that the domain name“www.sample2.com” is associated with addresses “24.24.24.1 . . .24.24.24.5,” the DNS handler 122 may consult with the addressassociation 162 and remove the address “24.24.24.1” from the list ofaddresses provided by the DNS server 140. The DNS handler 122 may selectone or more addresses in “24.24.24.2 . . . 24.24.24.5” as the particularaddresses associated with the domain name “www.sample2.com” and send aresponse to the requesting device including the selected particularaddresses.

Database 160 also includes monitoring rules 164. In someimplementations, the monitoring rules 164 may specify actions to beperformed for traffic directed to a particular domain name. For example,a monitoring rule 164 may specify that traffic for the domain name“www.sample1.com” should be directed to a particular address, that allthe traffic directed to the domain name “www.sample1.com” be decrypted,and traffic including a referrer header of “www.badguy.com” should beblocked.

The DNS server 140 receives requests from the network management system120. The requests may include queries to resolve domain names. Inresponse to the requests, the DNS server 140 sends responses to thenetwork management system 120. The responses may include one or moreaddresses associated with the domain name. In the illustrated example,the DNS server 140 is connected to the Internet 150. The DNS server 140may also be a local DNS sever connected to the internal network 110. TheDNS server 140 may also forward the requests to other DNS servers toresolve the domain names and, forward the received responses back to thenetwork management system 120. In some cases, the DNS server 140 may bea server controlled by an entity other than the owner of the internalnetwork 110.

FIG. 2 is a message flow diagram of an example interaction between thecomponents of the example environment to selectively block a securerequest using DNS responses. At 205, the network management system 120determines that “www.sample1.com” is a domain name to be identified. Thenetwork management system 120 consults the database 160 to determinethat “www.sample1.com” is included in a predetermined set of domainnames to be identified. In some cases, the network management system 120determines that “www.sample1.com” is a domain name to be identified inresponse to a request from the device 130 a to resolve the domain name“www.sample1.com.”

At 210, the network management system 120 sends a DNS request for“www.sample1.com” to the DNS server 140. At 215, the DNS server 140sends a DNS response including the addresses “24.24.24.1 . . .24.24.24.10” that are associated with “www.sample1.com.” At 220, thenetwork management system 120 interacts with the database 160 toassociate the domain name “www.sample1.com” with the particular address“24.24.24.1.” The particular address “24.24.24.1” is selected from theaddresses “24.24.24.1 . . . 24.24.24.10” included in the DNS responsereceived from the DNS server 140 (at 215). In some implementations, thenetwork management system 120 inserts a new row into a table storing theaddress associations 162 (shown in FIG. 1). Selecting the particularaddress may include removing an address that is associated with otheridentified domain names from the addresses included in the DNS responsereceived from the DNS server 140.

At 225, the device 130 a sends a DNS request for “www.sample1.com” tothe network management system 120. As previously described, this mayalso occur prior to 205, which can be performed in response to receivinga DNS request. At 230, the network management system 120 sends a DNSresponse including the particular address “24.24.24.1” associated with“www.sample1.com.” At 235, the device 130 a sends an HTTPS request for“www.sample1.com” to the particular address “24.24.24.1.” In someimplementations, the request may be sent using a secure protocol otherthan HTTPS.

At 240, the network management system 120 consults the database 160 toidentify the domain name associated with “24.24.24.1.” In someimplementations, the network management system 120 may query the addressassociations 162 (shown in FIG. 1) in the database 160 to determine that“www.sample1.com” is associated with “24.24.24.1.”

At 245, the network management system 120 determines whether the requestshould be blocked. In some implementations, the network managementsystem 120 may consult the database 160 for a monitoring rule 164 (shownin FIG. 1) associated with “www.sample1.com.” If the network managementsystem 120 determines that the request should be blocked, at 250, thenetwork management system 120 blocks the request. In someimplementations, as described previously, blocking the request mayinclude sending a redirect response to the device 130 a. Blocking therequest may also include sending a response to the secure request, suchas, for example, a Hypertext Markup Language (HTML) page indicating thatthe request was blocked. In some implementations, the redirect responsemay include an address associated with such a block notification page.Blocking the request may also include dropping the request. If thenetwork management system 120 determines that the request should not beblocked, at 255, the network management system 120 forwards the requestto the website 180 corresponding to the domain name “www.sample1.com.”

FIG. 3 is a message flow diagram of an example interaction between thecomponents of the example environment to selectively decrypt a securerequest using DNS responses. At 305, the device 130 a sends a DNSrequest for “www.sample1.com” to the network management system 120. At310, the network management system 120 sends a DNS response includingthe particular address “24.24.24.1” associated with “www.sample1.com.”In some implementations, as described previously, the network managementsystem 120 may determine the particular address “24.24.24.1” based on aresponse from the DNS server 140. The network management system 120 maydetermine the particular address “24.24.24.1” by consulting with thedatabase 160.

At 315, the device 130 a sends an HTTPS request for “www.sample1.com” tothe particular address “24.24.24.1.” In some implementations, therequest may be sent using a secure protocol other than HTTPS. At 320,the network management system 120 consults the database 160 to identifythe domain name associated with “24.24.24.1.” In some cases, the networkmanagement system 120 may query the address associations 162 (shown inFIG. 1) in the database 160 to determine that “www.sample1.com” isassociated with “24.24.24.1.”

At 325, the network management system 120 determines that the requestshould be decrypted. The network management system 120 may consult thedatabase 160 for a monitoring rule 164 (shown in FIG. 1) associated with“www.sample1.com” to determine that the request should be decrypted. At330, the network management system 120 decrypts the request and examinesits contents to determine whether the request should be blocked. If thenetwork management system 120 determines that the request should beblocked, at 335, the network management system 120 blocks the request.In some implementations, as described previously, blocking the requestmay include sending a redirect response to the device 130 a. Theredirect response may include an address associated with a blocknotification page. In some cases, blocking the request may includedropping the request. If the network management system 120 determinesthat the request should not be blocked, at 340, the network managementsystem 120 forwards the request to the website 180 corresponding to thedomain name “www.sample1.com.” In some implementations, as describedpreviously, the network management system 120 may modify the decryptedsecure request and re-encrypt the modified secure request.

FIG. 4 is a flow chart of an example process 400 of managing encryptednetwork traffic using DNS responses. At 405, an address associated witha domain name from a resolution server is requested. In someimplementations, the request may be sent in a DNS request. In someimplementations, the domain name may be included in a predetermined setof domain names for which secure requests are to be identified. In someimplementations, the request may be performed in response to receiving arequest to resolve the domain name. At 410, a response from theresolution server including one or more addresses associated with thedomain name is received. In some implementations, the response may bereceived in a DNS response.

At 415, the domain name is associated with a particular address selectedfrom the received one or more addresses. In some implementations, theassociation may be made by consulting a database (e.g., 160). In somecases, the particular address may be an IP address, an IP address andport combination, or another type of address.

At 420, a request to resolve the domain name is received. In someimplementations, the request to resolve the domain name may be a DNSrequest. At 425, a response to the request to resolve the domain name issent. In some implementations, the response may be sent in a DNSresponse. In some implementations, the sent response may include theparticular address associated with the domain name.

At 430, a secure request for resource is received. The secure requestmay be directed to the particular address associated with the domainname. In some implementations, the secure request may be an HTTPSrequest. At 435, a determination is made that the secure request isdirected to the domain name based on the association between theparticular address and the domain name. In some implementations, thesecure request is selectively blocked based at least in part ondetermining that the secure request is directed to the domain name. Insome implementations, the secure request is selectively decrypted basedat least in part on determining that the secure request is directed tothe domain name. In some implementations, selectively decrypting thesecure request may include determining that the secure request should bedecrypted based at least in part on one or more rules, and decryptingthe secure request to generate decrypted information. In someimplementations, the decrypted information may be inspected in order todetermine whether to forward, block, and/or modify the secure request.In some implementations, the modified decrypted information may bere-encrypted before forwarded to an address associated with the domainname. In some implementations, blocking the secure request includessending a redirect response to the secure request. In someimplementations, the redirect response includes an address associatedwith a block notification page. In some implementations, blocking therequest may include dropping the request.

Receiving the secure request may include establishing a first secureconnection with a sender of the secure request, and establishing asecond secure connection with an address associated with the resourceafter establishing the first secure connection with the sender. Such anapproach is generally known as a “client first” procedure.

In some implementations, receiving the secure request may includeestablishing a first secure connection with an address associated withthe resource, and establishing a second secure connection with a senderof the secure request after establishing the first secure connectionwith the address associated with the resource. Such an approach isgenerally known as a “server first” procedure.

In some cases, a request to resolve a second domain name different thanthe first domain name is received. A determination is made that thesecond domain name is not included in the predetermined set of domainnames and, a response to the request to resolve the second domain nameis sent including an address corresponding to the second domain. In someimplementations, if the second domain name is not included in thepredetermined set of domain names, the request to resolve the seconddomain name may be forwarded to a resolution server, and the responsefrom the resolution server may be forwarded back to the requester.

The domain name may be a first domain name and an address associatedwith a second domain name different than the first domain name may berequested. A second response from the resolution server may be received.The second response may include one or more addresses associated withthe second domain name, where the one or more addresses associated withthe second domain name may include the particular address associatedwith the first domain name. In some implementations, the second responsemay be modified to remove the particular address associated with thefirst domain name.

In some implementations, a second request to resolve the domain name isreceived. A determination is made that the domain name is associatedwith the particular address, and a response is sent to the secondrequest to resolve the domain name, where the response includes theparticular address.

FIG. 5 is a block diagram of computing devices 500, 550 that may be usedto implement the systems and methods described in this document, aseither a client or as a server or plurality of servers. Computing device500 is intended to represent various forms of digital computers, such aslaptops, desktops, workstations, personal digital assistants, servers,blade servers, mainframes, and other appropriate computers. Computingdevice 550 is intended to represent various forms of mobile devices,such as personal digital assistants, cellular telephones, smartphones,and other similar computing devices. Additionally computing device 500or 550 can include Universal Serial Bus (USB) flash drives. The USBflash drives may store operating systems and other applications. The USBflash drives can include input/output components, such as a wirelesstransmitter or USB connector that may be inserted into a USB port ofanother computing device. The components shown here, their connectionsand relationships, and their functions, are meant to be exemplary only,and are not meant to limit implementations of the inventions describedand/or claimed in this document.

Computing device 500 includes a processor 502, memory 504, a storagedevice 506, a high-speed interface 508 connecting to memory 504 andhigh-speed expansion ports 510, and a low speed interface 512 connectingto low speed bus 514 and storage device 506. Each of the components 502,504, 506, 508, 510, and 512, are interconnected using various busses,and may be mounted on a common motherboard or in other manners asappropriate. The processor 502 can process instructions for executionwithin the computing device 500, including instructions stored in thememory 504 or on the storage device 506 to display graphical informationfor a GUI on an external input/output device, such as display 516coupled to high speed interface 508. In other implementations, multipleprocessors and/or multiple buses may be used, as appropriate, along withmultiple memories and types of memory. Also, multiple computing devices500 may be connected, with each device providing portions of thenecessary operations (e.g., as a server bank, a group of blade servers,or a multi-processor system).

The memory 504 stores information within the computing device 500. Inone implementation, the memory 504 is a volatile memory unit or units.In another implementation, the memory 504 is a non-volatile memory unitor units. The memory 504 may also be another form of computer-readablemedium, such as a magnetic or optical disk.

The storage device 506 is capable of providing mass storage for thecomputing device 500. In one implementation, the storage device 506 maybe or contain a computer-readable medium, such as a floppy disk device,a hard disk device, an optical disk device, or a tape device, a flashmemory or other similar solid state memory device, or an array ofdevices, including devices in a storage area network or otherconfigurations. A computer program product can be tangibly embodied inan information carrier. The computer program product may also containinstructions that, when executed, perform one or more methods, such asthose described above. The information carrier is a computer- ormachine-readable medium, such as the memory 504, the storage device 506,or memory on processor 502.

The high speed controller 508 manages bandwidth-intensive operations forthe computing device 500, while the low speed controller 512 manageslower bandwidth-intensive operations. Such allocation of functions isexemplary only. In one implementation, the high-speed controller 508 iscoupled to memory 504, display 516 (e.g., through a graphics processoror accelerator), and to high-speed expansion ports 510, which may acceptvarious expansion cards (not shown). In the implementation, low-speedcontroller 512 is coupled to storage device 506 and low-speed expansionport 514. The low-speed expansion port, which may include variouscommunication ports (e.g., USB, Bluetooth, Ethernet, wireless Ethernet)may be coupled to one or more input/output devices, such as a keyboard,a pointing device, a scanner, or a networking device such as a switch orrouter, e.g., through a network adapter.

The computing device 500 may be implemented in a number of differentforms, as shown in the figure. For example, it may be implemented as astandard server 520, or multiple times in a group of such servers. Itmay also be implemented as part of a rack server system 524. Inaddition, it may be implemented in a personal computer such as a laptopcomputer 522. Alternatively, components from computing device 500 may becombined with other components in a mobile device (not shown), such asdevice 550. Each of such devices may contain one or more of computingdevice 500, 550, and an entire system may be made up of multiplecomputing devices 500, 550 communicating with each other.

Computing device 550 includes a processor 552, memory 564, aninput/output device such as a display 554, a communication interface566, and a transceiver 568, among other components. The device 550 mayalso be provided with a storage device, such as a microdrive or otherdevice, to provide additional storage. Each of the components 550, 552,564, 554, 566, and 568, are interconnected using various buses, andseveral of the components may be mounted on a common motherboard or inother manners as appropriate.

The processor 552 can execute instructions within the computing device550, including instructions stored in the memory 564. The processor maybe implemented as a chipset of chips that include separate and multipleanalog and digital processors. Additionally, the processor may beimplemented using any of a number of architectures. For example, theprocessor 510 may be a CISC (Complex Instruction Set Computers)processor, a RISC (Reduced Instruction Set Computer) processor, or aMISC (Minimal Instruction Set Computer) processor. The processor mayprovide, for example, for coordination of the other components of thedevice 550, such as control of user interfaces, applications run bydevice 550, and wireless communication by device 550.

Processor 552 may communicate with a user through control interface 558and display interface 556 coupled to a display 554. The display 554 maybe, for example, a TFT (Thin-Film-Transistor Liquid Crystal Display)display or an OLED (Organic Light Emitting Diode) display, or otherappropriate display technology. The display interface 556 may compriseappropriate circuitry for driving the display 554 to present graphicaland other information to a user. The control interface 558 may receivecommands from a user and convert them for submission to the processor552. In addition, an external interface 562 may be provided incommunication with processor 552, so as to enable near areacommunication of device 550 with other devices. External interface 562may provide, for example, for wired communication in someimplementations, or for wireless communication in other implementations,and multiple interfaces may also be used.

The memory 564 stores information within the computing device 550. Thememory 564 can be implemented as one or more of a computer-readablemedium or media, a volatile memory unit or units, or a non-volatilememory unit or units. Expansion memory 574 may also be provided andconnected to device 550 through expansion interface 572, which mayinclude, for example, a SIMM (Single In Line Memory Module) cardinterface. Such expansion memory 574 may provide extra storage space fordevice 550, or may also store applications or other information fordevice 550. Specifically, expansion memory 574 may include instructionsto carry out or supplement the processes described above, and mayinclude secure information also. Thus, for example, expansion memory 574may be provide as a security module for device 550, and may beprogrammed with instructions that permit secure use of device 550. Inaddition, secure applications may be provided via the SIMM cards, alongwith additional information, such as placing identifying information onthe SIMM card in a non-hackable manner.

The memory may include, for example, flash memory and/or NVRAM memory,as discussed below. In one implementation, a computer program product istangibly embodied in an information carrier. The computer programproduct contains instructions that, when executed, perform one or moremethods, such as those described above. The information carrier is acomputer- or machine-readable medium, such as the memory 564, expansionmemory 574, or memory on processor 552 that may be received, forexample, over transceiver 568 or external interface 562.

Device 550 may communicate wirelessly through communication interface566, which may include digital signal processing circuitry wherenecessary. Communication interface 566 may provide for communicationsunder various modes or protocols, such as GSM voice calls, SMS, EMS, orMMS messaging, CDMA, TDMA, PDC, WCDMA, CDMA2000, or GPRS, among others.Such communication may occur, for example, through radio-frequencytransceiver 568. In addition, short-range communication may occur, suchas using a Bluetooth, WiFi, or other such transceiver (not shown). Inaddition, GPS (Global Positioning System) receiver module 570 mayprovide additional navigation- and location-related wireless data todevice 550, which may be used as appropriate by applications running ondevice 550.

Device 550 may also communicate audibly using audio codec 560, which mayreceive spoken information from a user and convert it to usable digitalinformation. Audio codec 560 may likewise generate audible sound for auser, such as through a speaker, e.g., in a handset of device 550. Suchsound may include sound from voice telephone calls, may include recordedsound (e.g., voice messages, music files, etc.) and may also includesound generated by applications operating on device 550.

The computing device 550 may be implemented in a number of differentforms, as shown in the figure. For example, it may be implemented as acellular telephone 580. It may also be implemented as part of asmartphone 582, personal digital assistant, or other similar mobiledevice.

Various implementations of the systems and techniques described here canbe realized in digital electronic circuitry, integrated circuitry,specially designed ASICs (application specific integrated circuits),computer hardware, firmware, software, and/or combinations thereof.These various implementations can include implementation in one or morecomputer programs that are executable and/or interpretable on aprogrammable system including at least one programmable processor, whichmay be special or general purpose, coupled to receive data andinstructions from, and to transmit data and instructions to, a storagesystem, at least one input device, and at least one output device.

These computer programs (also known as programs, software, softwareapplications or code) include machine instructions for a programmableprocessor, and can be implemented in a high-level procedural and/orobject-oriented programming language, and/or in assembly/machinelanguage. As used herein, the terms “machine-readable medium” and“computer-readable medium” refer to any computer program product,apparatus and/or device (e.g., magnetic discs, optical disks, memory,Programmable Logic Devices (PLDs)) used to provide machine instructionsand/or data to a programmable processor, including a machine-readablemedium that receives machine instructions as a machine-readable signal.The term “machine-readable signal” refers to any signal used to providemachine instructions and/or data to a programmable processor.

To provide for interaction with a user, the systems and techniquesdescribed here can be implemented on a computer having a display device(e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor)for displaying information to the user and a keyboard and a pointingdevice (e.g., a mouse or a trackball) by which the user can provideinput to the computer. Other kinds of devices can be used to provide forinteraction with a user as well; for example, feedback provided to theuser can be any form of sensory feedback (e.g., visual feedback,auditory feedback, or tactile feedback); and input from the user can bereceived in any form, including acoustic, speech, or tactile input.

The systems and techniques described here can be implemented in acomputing system that includes a back end component (e.g., as a dataserver), or that includes a middleware component (e.g., an applicationserver), or that includes a front end component (e.g., a client computerhaving a graphical user interface or a Web browser through which a usercan interact with an implementation of the systems and techniquesdescribed here), or any combination of such back end, middleware, orfront end components. The components of the system can be interconnectedby any form or medium of digital data communication (e.g., acommunication network). Examples of communication networks include alocal area network (“LAN”), a wide area network (“WAN”), peer-to-peernetworks (having ad-hoc or static members), grid computinginfrastructures, and the Internet.

The computing system can include clients and servers. A client andserver are generally remote from each other and typically interactthrough a communication network. The relationship of client and serverarises by virtue of computer programs running on the respectivecomputers and having a client-server relationship to each other.

Although a few implementations have been described in detail above,other modifications are possible. In addition, the logic flows depictedin the figures do not require the particular order shown, or sequentialorder, to achieve desirable results. Other steps may be provided, orsteps may be eliminated, from the described flows, and other componentsmay be added to, or removed from, the described systems. Accordingly,other implementations are within the scope of the following claims.

What is claimed is:
 1. A computer-implemented method executed by one ormore processors, the method comprising: requesting an address associatedwith a domain name from a resolution server, the domain name included ina predetermined set of domain names for which encrypted requests are tobe identified; receiving a response from the resolution server includingtwo or more different corresponding addresses for the domain name;selecting a particular address from among the two or more differentcorresponding addresses received from the resolution server; associatingthe selected particular address with the domain name; receiving arequest to resolve the domain name; sending a response to the request toresolve the domain name, the sent response including the particularaddress associated with the domain name; receiving an encrypted requestfor a resource, the encrypted request directed to the particular addressassociated with the domain name; and determining that the encryptedrequest is directed to the domain name based on the association betweenthe particular address and the domain name, wherein the determination isperformed without decrypting the encrypted request, wherein the domainname is a first domain name, the method further comprising: requestingan address associated with a second domain name different than the firstdomain name from the resolution server; receiving a second response fromthe resolution server including one or more addresses associated withthe second domain name, wherein the one or more addresses associatedwith the second domain name includes the particular address; andmodifying the second response to remove the particular address.
 2. Themethod of claim 1, wherein the particular address includes an internetprotocol (IP) address, the method further comprising: requesting theaddress associated with the domain name from the resolution serverincludes sending a Domain Name System (DNS) request; receiving theresponse from the resolution server includes receiving a DNS response;receiving the request to resolve the domain name includes receiving aDNS request; and sending the response to the request to resolve thedomain name includes sending a DNS response.
 3. The method of claim 1,further comprising selectively decrypting the encrypted request based atleast in part on determining that the encrypted request is directed tothe domain name.
 4. The method of claim 3, wherein selectivelydecrypting the encrypted request comprises: determining that theencrypted request should be decrypted based at least in part on one ormore rules; and decrypting the encrypted request to generate decryptedinformation.
 5. The method of claim 4, further comprising: inspectingthe decrypted information; determining that the encrypted request shouldbe forwarded based at least in part on inspecting the decryptedinformation and at least in part on the one or more rules; andforwarding the encrypted request to an address associated with thedomain name.
 6. The method of claim 5, wherein forwarding the encryptedrequest comprises: re-encrypting the encrypted request; and sending theencrypted request to the address associated with the domain name.
 7. Themethod of claim 4, further comprising: inspecting the decryptedinformation; determining that the encrypted request should be forwardedbased at least in part on inspecting the decrypted information and atleast in part on the one or more rules; modifying the decryptedinformation based at least in part on the one or more rules; encryptingthe decrypted information to produce a second encrypted request; andforwarding the second encrypted request to an address associated withthe domain name.
 8. The method of claim 4, further comprising:inspecting the decrypted information; determining that the encryptedrequest should be blocked based at least in part on inspecting thedecrypted information and at least in part on the one or more rules; andblocking the encrypted request.
 9. The method of claim 8, whereinblocking the encrypted request includes sending a redirect response tothe encrypted request, the redirect response including an addressassociated with a block notification page.
 10. The method of claim 1,wherein receiving the encrypted request for the resource comprises:establishing a first secure connection with a sender of the encryptedrequest, establishing a second secure connection with an addressassociated with the resource after establishing the first secureconnection with the sender.
 11. The method of claim 1, wherein receivingthe encrypted request for the resource comprises: establishing a firstsecure connection with an address associated with the resource,establishing a second secure connection with a sender of the encryptedrequest after establishing the first secure connection with the addressassociated with the resource.
 12. The method of claim 1, wherein thedomain name is a first domain name, the method further comprising:receiving a request to resolve a second domain name different than thefirst domain name; determining that the second domain name is notincluded in the predetermined set of domain names; and sending aresponse to the request to resolve the second domain name, the responseincluding an address corresponding to the second domain name.
 13. Themethod of claim 1, further comprising: receiving a second request toresolve the domain name; determining that the domain name is associatedwith the particular address; and sending a response to the secondrequest to resolve the domain name, the response including theparticular address.
 14. The method of claim 1, wherein receiving theencrypted request for the resource includes receiving a requestaccording to Hypertext Transfer Protocol Secure (HTTPS).
 15. The methodof claim 1, further comprising selectively blocking the encryptedrequest based at least in part on determining that the encrypted requestis directed to the domain name.
 16. The method of claim 1, whereinrequesting the address for the domain name from the resolution server,receiving the response from the resolution server, and associating withthe domain name the particular address are performed in response toreceiving the request to resolve the domain name.
 17. A systemcomprising: memory for storing data; and one or more processors operableto perform operations comprising: requesting an address associated witha domain name from a resolution server, the domain name included in apredetermined set of domain names for which encrypted requests are to beidentified; receiving a response from the resolution server includingtwo or more different corresponding addresses for the domain name;selecting a particular address from among the two or more differentcorresponding addresses received from the resolution server; associatingthe selected particular address with the domain name; receiving arequest to resolve the domain name; sending a response to the request toresolve the domain name, the sent response including the particularaddress associated with the domain name; receiving an encrypted requestfor a resource, the encrypted request directed to the particular addressassociated with the domain name; and determining that the encryptedrequest is directed to the domain name based on the association betweenthe particular address and the domain name, wherein the determination isperformed without decrypting the encrypted request, wherein the domainname is a first domain name, the operations further comprising:requesting an address associated with a second domain name differentthan the first domain name from the resolution server; receiving asecond response from the resolution server including one or moreaddresses associated with the second domain name, wherein the one ormore addresses associated with the second domain name includes theparticular address; and modifying the second response to remove theparticular address.
 18. A non-transitory, computer-readable mediumstoring instructions operable when executed to cause at least oneprocessor to perform operations comprising: requesting an addressassociated with a domain name from a resolution server, the domain nameincluded in a predetermined set of domain names for which encryptedrequests are to be identified; receiving a response from the resolutionserver including two or more different corresponding addresses for thedomain name; selecting a particular address from among the two or moredifferent corresponding addresses received from the resolution server;associating the selected particular address with the domain name;receiving a request to resolve the domain name; sending a response tothe request to resolve the domain name, the sent response including theparticular address associated with the domain name; receiving anencrypted request for a resource, the encrypted request directed to theparticular address associated with the domain name; and determining thatthe encrypted request is directed to the domain name based on theassociation between the particular address and the domain name, whereinthe determination is performed without decrypting the encrypted request,wherein the domain name is a first domain name, the operations furthercomprising: requesting an address associated with a second domain namedifferent than the first domain name from the resolution server;receiving a second response from the resolution server including one ormore addresses associated with the second domain name, wherein the oneor more addresses associated with the second domain name includes theparticular address; and modifying the second response to remove theparticular address.